[asan] Detect dereferencing zero-alloc as heap buffer overflow

[thurstond]

When a zero-byte allocation is requested, ASan actually allocates 1-byte for compatibility. This change poisons that byte, to detect dereferences.

Also updates the test from #155933

[llvmbot]

@llvm/pr-subscribers-compiler-rt-sanitizer

Author: Thurston Dang (thurstond)

Changes

When a zero-byte allocation is requested, ASan actually allocates 1-byte for compatibility. This change poisons that byte, to detect dereferences.

Also updates the test from #155933

---

Full diff: https://github.com/llvm/llvm-project/pull/155943.diff

2 Files Affected:

• (modified) compiler-rt/lib/asan/asan_allocator.cpp (+6)
• (modified) compiler-rt/test/asan/TestCases/zero_alloc.cpp (-4)

diff --git a/compiler-rt/lib/asan/asan_allocator.cpp b/compiler-rt/lib/asan/asan_allocator.cpp
index 9ebe4d08ec8c1..752ba9ab32c71 100644
--- a/compiler-rt/lib/asan/asan_allocator.cpp
+++ b/compiler-rt/lib/asan/asan_allocator.cpp
@@ -547,6 +547,7 @@ struct Allocator {
         ComputeUserRequestedAlignmentLog(alignment);
     if (alignment < min_alignment)
       alignment = min_alignment;
+    bool upgraded_from_zero = false;
     if (size == 0) {
       // We'd be happy to avoid allocating memory for zero-size requests, but
       // some programs/tests depend on this behavior and assume that malloc
@@ -555,6 +556,7 @@ struct Allocator {
       // consecutive "new" calls must be different even if the allocated size
       // is zero.
       size = 1;
+      upgraded_from_zero = true;
     }
     CHECK(IsPowerOfTwo(alignment));
     uptr rz_log = ComputeRZLog(size);
@@ -637,6 +639,10 @@ struct Allocator {
       *shadow = fl.poison_partial ? (size & (ASAN_SHADOW_GRANULARITY - 1)) : 0;
     }
 
+    if (upgraded_from_zero)
+      PoisonShadow(user_beg, ASAN_SHADOW_GRANULARITY,
+                   kAsanHeapLeftRedzoneMagic);
+
     AsanStats &thread_stats = GetCurrentThreadStats();
     thread_stats.mallocs++;
     thread_stats.malloced += size;
diff --git a/compiler-rt/test/asan/TestCases/zero_alloc.cpp b/compiler-rt/test/asan/TestCases/zero_alloc.cpp
index d25164a1e2eb9..e843a5a41f429 100644
--- a/compiler-rt/test/asan/TestCases/zero_alloc.cpp
+++ b/compiler-rt/test/asan/TestCases/zero_alloc.cpp
@@ -1,9 +1,5 @@
 // RUN: %clang_asan -Wno-alloc-size -fsanitize-recover=address %s -o %t && %env_asan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s
 
-// ASan doesn't catch this because internally it translates 0-byte allocations
-// into 1-byte
-// XFAIL: *
-
 #include <malloc.h>
 #include <stdio.h>
 

[vitalybuka]

Windows is broken https://lab.llvm.org/staging/#/builders/37

[thurstond]

Windows is broken https://lab.llvm.org/staging/#/builders/37

Same issue that has already been fixed; fix hasn't landed on the Windows bot. Windows bots are surprisingly slow.
e.g., the most recently finished bot run (https://lab.llvm.org/staging/#/builders/37/builds/713) is building off:

Date	August 29, 2025 11:24 AM (8 hours ago)
Revision	0499eb83fa92001d7f72623e2954bf2c340e0f79

[thurstond]

Windows is broken https://lab.llvm.org/staging/#/builders/37

Same issue that has already been fixed; fix hasn't landed on the Windows bot. Windows bots are surprisingly slow. e.g., the most recently finished bot run (https://lab.llvm.org/staging/#/builders/37/builds/713) is building off:

Date	August 29, 2025 11:24 AM (8 hours ago)
Revision	0499eb83fa92001d7f72623e2954bf2c340e0f79

Windows bot is green now: https://lab.llvm.org/staging/#/builders/37/builds/714

[mstorsjo]

This change broke test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp on 32 bit Windows - see https://github.com/mstorsjo/llvm-mingw/actions/runs/17337326265/job/49243607453:

# error: command failed with exit status: 1
# executed command: FileCheck 'D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp'
# .---command stderr------------
# | D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp:56:15: error: CHECK-NOT: excluded string found in input
# | // CHECK-NOT: heap-buffer-overflow
# |               ^
# | <stdin>:3:34: note: found here
# | ==7036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01d00770 at pc 0x005e140f bp 0x00cffc94 sp 0x00cffc90
# |                                  ^~~~~~~~~~~~~~~~~~~~
# | D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp:57:15: error: CHECK-NOT: excluded string found in input
# | // CHECK-NOT: AddressSanitizer
# |               ^
# | <stdin>:3:16: note: found here
# | ==7036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01d00770 at pc 0x005e140f bp 0x00cffc94 sp 0x00cffc90
# |                ^~~~~~~~~~~~~~~~
# | 
# | Input file: <stdin>
# | Check file: D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp
# | 
# | -dump-input=help explains the following input dump.
# | 
# | Input was:
# | <<<<<<
# |         1: allocated! 
# |         2: ================================================================= 
# |         3: ==7036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01d00770 at pc 0x005e140f bp 0x00cffc94 sp 0x00cffc90 
# | not:56                                      !~~~~~~~~~~~~~~~~~~~                                                                     error: no match expected
# | not:57                    !~~~~~~~~~~~~~~~                                                                                           error: no match expected
# |         4: WRITE of size 1 at 0x01d00770 thread T0 
# |         5:  #0 0x005e140e in main D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows/heaprealloc_alloc_zero.cpp:12:20 
# |         6:  #1 0x005e10d3 in __tmainCRTStartup /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-i686/../crt/crtexe.c:236:11 
# |         7:  #2 0x772067f8 (C:\Windows\System32\KERNEL32.DLL+0x6b8167f8) 
# |         8:  #3 0x77df7f4c (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7f4c) 
# |         .
# |         .
# |         .
# | >>>>>>
# `-----------------------------
# error: command failed with exit status: 1

This test has // UNSUPPORTED: asan-64-bits at https://github.com/llvm/llvm-project/blob/main/compiler-rt/test/asan/TestCases/Windows/heaprealloc_alloc_zero.cpp#L3, so this test case isn't executed in most common 64 bit environments.

[thurstond]

This change broke test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp on 32 bit Windows - see https://github.com/mstorsjo/llvm-mingw/actions/runs/17337326265/job/49243607453:

# error: command failed with exit status: 1
# executed command: FileCheck 'D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp'
# .---command stderr------------
# | D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp:56:15: error: CHECK-NOT: excluded string found in input
# | // CHECK-NOT: heap-buffer-overflow
# |               ^
# | <stdin>:3:34: note: found here
# | ==7036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01d00770 at pc 0x005e140f bp 0x00cffc94 sp 0x00cffc90
# |                                  ^~~~~~~~~~~~~~~~~~~~
# | D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp:57:15: error: CHECK-NOT: excluded string found in input
# | // CHECK-NOT: AddressSanitizer
# |               ^
# | <stdin>:3:16: note: found here
# | ==7036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01d00770 at pc 0x005e140f bp 0x00cffc94 sp 0x00cffc90
# |                ^~~~~~~~~~~~~~~~
# | 
# | Input file: <stdin>
# | Check file: D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\heaprealloc_alloc_zero.cpp
# | 
# | -dump-input=help explains the following input dump.
# | 
# | Input was:
# | <<<<<<
# |         1: allocated! 
# |         2: ================================================================= 
# |         3: ==7036==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01d00770 at pc 0x005e140f bp 0x00cffc94 sp 0x00cffc90 
# | not:56                                      !~~~~~~~~~~~~~~~~~~~                                                                     error: no match expected
# | not:57                    !~~~~~~~~~~~~~~~                                                                                           error: no match expected
# |         4: WRITE of size 1 at 0x01d00770 thread T0 
# |         5:  #0 0x005e140e in main D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows/heaprealloc_alloc_zero.cpp:12:20 
# |         6:  #1 0x005e10d3 in __tmainCRTStartup /home/runner/work/llvm-mingw/llvm-mingw/mingw-w64/mingw-w64-crt/build-i686/../crt/crtexe.c:236:11 
# |         7:  #2 0x772067f8 (C:\Windows\System32\KERNEL32.DLL+0x6b8167f8) 
# |         8:  #3 0x77df7f4c (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7f4c) 
# |         .
# |         .
# |         .
# | >>>>>>
# `-----------------------------
# error: command failed with exit status: 1

This test has // UNSUPPORTED: asan-64-bits at https://github.com/llvm/llvm-project/blob/main/compiler-rt/test/asan/TestCases/Windows/heaprealloc_alloc_zero.cpp#L3, so this test case isn't executed in most common 64 bit environments.

Sorry for the breakage. I've drafted #156211 which I think will fix it.

[zmodem]

It broke Mac too: https://green.lab.llvm.org/job/llvm.org/job/clang-stage1-RA/5301/testReport/junit/AddressSanitizer-x86_64-darwin/TestCases/zero_alloc_cpp/

Could it just include <stdlib.h> instead of <malloc.h>?

I'll mark it unsupported on mac for now.

[thurstond]

It broke Mac too: https://green.lab.llvm.org/job/llvm.org/job/clang-stage1-RA/5301/testReport/junit/AddressSanitizer-x86_64-darwin/TestCases/zero_alloc_cpp/

Could it just include <stdlib.h> instead of <malloc.h>?

I'll mark it unsupported on mac for now.

Sorry for the breakage, and thanks for marking it unsupported for now.

I'll update it to use <stdlib.h>.